Summary

Prevent non-superusers from modifying site settings

Review Request #8330 — Created Aug. 15, 2016 and submitted Aug. 19, 2016, 2:14 p.m.

Information

Owner

brennie

Repository

Review Board

Branch

release-2.5.x

Bugs

Depends On

~~8329~~

Commit

e999957...

Reviewers

Groups

reviewboard

People

Description

Previously, any staff member (superuser or non-superuser) could change
any of the site settings. We now prevent all non-superuser staff members
from accessing site settings views so that they cannot. A new decorator
(similar to Django's staff_member_required) has been added to
accomplish this.

Testing Done


Manually verified that superusers can still change settings.
Manually verified that non-superusers are shown a permission denied

  page.
Manually verified that unauthenticated users are shown a login form.

Files

Issues

Description	From	Last Updated
This is no longer correct. It should probably also mention that users should use @login_required first.	david	Aug. 18, 2016, 4:10 p.m.
I think it's a little confusing to redirect to the login page if a user is already logged in. Can …	david	Aug. 16, 2016, 5:33 p.m.
It's only luck that's making flake8 not complain about this. Can we put all the arguments on the next line …	david	Aug. 16, 2016, 5:33 p.m.

Tool: PEP8 Style Checker
Processed Files:
    reviewboard/admin/views.py
    reviewboard/admin/decorators.py



Tool: Pyflakes
Processed Files:
    reviewboard/admin/views.py
    reviewboard/admin/decorators.py

reviewboard/admin/decorators.py (Diff revision 1)

The issue has been resolved. Show all issues

I think it's a little confusing to redirect to the login page if a user is already logged in. Can we instead show a "permission denied" error?

reviewboard/admin/decorators.py (Diff revision 1)

The issue has been resolved. Show all issues

It's only luck that's making flake8 not complain about this. Can we put all the arguments on the next line and indented 4 spaces from the return?

Commit:

cdf98e896c37c1117b9fe8357481a4635ec4fb08

160be56942b316f3040b6e68f1b19aa610cce726

Diff:

Revision 2 (+54 -3)

Show changes

	reviewboard/admin/decorators.py
	reviewboard/admin/views.py
	reviewboard/static/rb/css/pages/admin.less
	reviewboard/templates/admin/permission_denied.html

Added Files:

Tool: Pyflakes
Processed Files:
    reviewboard/admin/views.py
    reviewboard/admin/decorators.py

Ignored Files:
    reviewboard/templates/admin/permission_denied.html
    reviewboard/static/rb/css/pages/admin.less



Tool: PEP8 Style Checker
Processed Files:
    reviewboard/admin/views.py
    reviewboard/admin/decorators.py

Ignored Files:
    reviewboard/templates/admin/permission_denied.html
    reviewboard/static/rb/css/pages/admin.less

reviewboard/admin/decorators.py (Diff revisions 1 - 2)

The issue has been resolved. Show all issues

This is no longer correct.

It should probably also mention that users should use @login_required first.

Commit:

160be56942b316f3040b6e68f1b19aa610cce726

e999957508a7d4091507b8d0b9cc3eb207c037df

Diff:

Revision 3 (+71 -3)

Show changes

	reviewboard/admin/decorators.py
	reviewboard/admin/views.py
	reviewboard/static/rb/css/pages/admin.less
	reviewboard/templates/admin/permission_denied.html

Tool: Pyflakes
Processed Files:
    reviewboard/admin/views.py
    reviewboard/admin/decorators.py

Ignored Files:
    reviewboard/templates/admin/permission_denied.html
    reviewboard/static/rb/css/pages/admin.less



Tool: PEP8 Style Checker
Processed Files:
    reviewboard/admin/views.py
    reviewboard/admin/decorators.py

Ignored Files:
    reviewboard/templates/admin/permission_denied.html
    reviewboard/static/rb/css/pages/admin.less

Ship it!

"Testing done" has an extra "Testing done"

Testing Done:: ~
Testing done:
~ - Manually verified that superusers can still change settings.
~ - Manually verified that non-superusers are redirected to the login
~
Manually verified that superusers can still change settings.
~
Manually verified that non-superusers are shown a permission denied
page.
~
Manually verified that unauthenticated users are shown a login form.
- page.

Status:: Completed
Change Summary:: Pushed to release-3.0.x (5480b16)

~		Testing done:
~		- Manually verified that superusers can still change settings.
~		- Manually verified that non-superusers are redirected to the login
	~	Manually verified that superusers can still change settings.
	~	Manually verified that non-superusers are shown a permission denied page.
	~	Manually verified that unauthenticated users are shown a login form.
-		page.